Microsoft Windows 95/WfW smbclient Directory Traversal Vulnerability

1995-10-30T00:00:00
ID EDB-ID:20371
Type exploitdb
Reporter Dan Shearer
Modified 1995-10-30T00:00:00

Description

Microsoft Windows 95/WfW smbclient Directory Traversal Vulnerability. Remote exploit for windows platform

                                        
                                            source: http://www.securityfocus.com/bid/1884/info

Samba is a set of of programs that allow Windows® clients access to a Unix server's filespace and printers over NetBIOS. A directory traversal vulnerability exists in Microsoft's implementation of the SMB file and print sharing protocol for Windows 95 build 490.r6 and Windows for Workgroups.

smbclient normally rejects '/../' sequences in user-supplied pathnames before submitting them to the server. This prevents an attacker from traversing the server's directory tree and accessing files which would normally be inaccessible.

Because the check for '/../' is peformed by smbclient, the server assumes the client is filtering invalid input. However, a modified client can be made to accept the restricted '/../' sequences, appending these characters to filenames and submitting them as a request to the server.

Since the server leaves this input validation up to the client, once the server is provided with path information which contains '/../', it assumes it to be valid. As a result, a directory traversal becomes possible, granting an attacker access to normally-restricted portions of the host's filesystem. This can lead to the disclosure of security-related information, leaving the host open to further compromise.

Connect to a resource using smbclient. 

Issue commands "cd ../" or "cd ..."